isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix a NOPASSWD issue with a non-existent command when fdexec=always

Browse Source 
In command_matches_all(), if the command is fully-qualified and
open_cmnd() return false, only treat it as an error if we are able
to stat(2) the command.  For "sudo ALL" a non-existent command is
not an error.
This commit is contained in:
Todd C. Miller
2022-07-07 20:11:44 -06:00
parent 41e7532c90
commit 5a59ce159e
1 changed files with 5 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
plugins/sudoers/match_command.c
View File

@@ -392,11 +392,14 @@ command_matches_all(const char *runchroot,
if (user_cmnd[0] == '/') { if (user_cmnd[0] == '/') {
/* Open the file for fdexec or for digest matching. */ /* Open the file for fdexec or for digest matching. */
if (!open_cmnd(user_cmnd, runchroot, digests, &fd)) bool open_error = !open_cmnd(user_cmnd, runchroot, digests, &fd);
goto bad;
#ifndef SUDOERS_NAME_MATCH #ifndef SUDOERS_NAME_MATCH
/* A non-existent file is not an error for "sudo ALL". */ /* A non-existent file is not an error for "sudo ALL". */
if (do_stat(fd, user_cmnd, runchroot, &sb)) { if (do_stat(fd, user_cmnd, runchroot, &sb)) {
if (open_error) {
/* File exists but we couldn't open it above? */
goto bad;
}
if (!intercept_ok(user_cmnd, intercepted, &sb)) if (!intercept_ok(user_cmnd, intercepted, &sb))
goto bad; goto bad;
} }